CVE-2014-5177

Priority
Description
libvirt 1.0.0 through 1.2.x before 1.2.5, when fine-grained access control
is enabled, allows local users to read arbitrary files via a crafted XML
document containing an XML external entity declaration in conjunction with
an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML,
(3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5)
virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7)
virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML,
(10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12)
virConnectDomainXMLToNative, (13) virSecretDefineXML, (14)
virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16)
virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18)
virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to
an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from
CVE-2014-0179 per ADT3 due to different affected versions of some vectors.
Notes
 mdeslaur> non-default configuration
 mdeslaur> same fix as CVE-2014-0179
Assigned-to
mdeslaur
Package
Upstream: released (1.2.4-1)
Ubuntu 14.04 LTS (Trusty Tahr): released (1.2.2-0ubuntu13.1.5)

Updated: 2019-03-19 12:15:23 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)